AWS Security Group Restricts Ingress On Administrative Ports

This policy validates that AWS Security Groups don't allow unrestricted inbound traffic on port 3389 or 22, ports commonly used for the remote access protocols RDP and SSH respectively.

Remote access protocols allow direct access and remote code execution on systems listening for those protocols if the protocol initiator can successfully authenticate. This has wide ranging security implications, even with strong password/authentication policies in place, and it is best practice to limit this access only to IP ranges it is necessary to open such access from for remote administration.

Ports 3389 and 22 are just two commonly used ports, similar precautions should be taken for any port being used for remote access protocols.


To remediate this, implement least privilege policies for all security groups allowing unrestricted ingress on ports 3389 and 22. This could have wide ranging consequences if these rules are in use. Taking the actions listed below will break network connectivity for any resources in these VPC's using these overly permissive rules. It is highly recommended to first migrate these resources off into dedicated security groups with the minimum access necessary to perform their roles configured. VPC Flow Logging can help profile current network usage, and inform what how to build the least privilege rules necessary to not break any instances in these VPCs.


  • CIS AWS Benchmark 4.1 "Ensure no security groups allow ingress from to port 22"

  • CIS AWS Benchmark 4.2 "Ensure no security groups allow ingress from to port 3389"

Last updated